Move all function declarations from prog.footer6 to prog.header6
parent
a0482132c6
commit
7adb9b12bb
@ -1,244 +1,6 @@
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
# Code imported from /usr/share/shorewall/prog.footer6
|
# Code imported from /usr/share/shorewall/prog.footer6
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#
|
|
||||||
# Remove all Shorewall-added rules
|
|
||||||
#
|
|
||||||
clear_firewall() {
|
|
||||||
stop_firewall
|
|
||||||
|
|
||||||
setpolicy INPUT ACCEPT
|
|
||||||
setpolicy FORWARD ACCEPT
|
|
||||||
setpolicy OUTPUT ACCEPT
|
|
||||||
|
|
||||||
run_iptables -F
|
|
||||||
|
|
||||||
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
|
|
||||||
|
|
||||||
run_clear_exit
|
|
||||||
|
|
||||||
set_state "Cleared"
|
|
||||||
|
|
||||||
logger -p kern.info "$PRODUCT Cleared"
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Issue a message and stop/restore the firewall
|
|
||||||
#
|
|
||||||
fatal_error()
|
|
||||||
{
|
|
||||||
echo " ERROR: $@" >&2
|
|
||||||
|
|
||||||
if [ $LOG_VERBOSE -gt 1 ]; then
|
|
||||||
timestamp="$(date +'%_b %d %T') "
|
|
||||||
echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
|
|
||||||
fi
|
|
||||||
|
|
||||||
stop_firewall
|
|
||||||
[ -n "$TEMPFILE" ] && rm -f $TEMPFILE
|
|
||||||
exit 2
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Issue a message and stop
|
|
||||||
#
|
|
||||||
startup_error() # $* = Error Message
|
|
||||||
{
|
|
||||||
echo " ERROR: $@: Firewall state not changed" >&2
|
|
||||||
case $COMMAND in
|
|
||||||
start)
|
|
||||||
logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
|
|
||||||
;;
|
|
||||||
restart)
|
|
||||||
logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
|
|
||||||
;;
|
|
||||||
restore)
|
|
||||||
logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
if [ $LOG_VERBOSE -gt 1 ]; then
|
|
||||||
timestamp="$(date +'%_b %d %T') "
|
|
||||||
|
|
||||||
case $COMMAND in
|
|
||||||
start)
|
|
||||||
echo "${timestamp} ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
|
|
||||||
;;
|
|
||||||
restart)
|
|
||||||
echo "${timestamp} ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
|
|
||||||
;;
|
|
||||||
restore)
|
|
||||||
echo "${timestamp} ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
fi
|
|
||||||
|
|
||||||
kill $$
|
|
||||||
exit 2
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Run iptables and if an error occurs, stop/restore the firewall
|
|
||||||
#
|
|
||||||
run_iptables()
|
|
||||||
{
|
|
||||||
local status
|
|
||||||
|
|
||||||
while [ 1 ]; do
|
|
||||||
$IP6TABLES $@
|
|
||||||
status=$?
|
|
||||||
[ $status -ne 4 ] && break
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ $status -ne 0 ]; then
|
|
||||||
error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
|
|
||||||
stop_firewall
|
|
||||||
exit 2
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Run iptables retrying exit status 4
|
|
||||||
#
|
|
||||||
do_iptables()
|
|
||||||
{
|
|
||||||
local status
|
|
||||||
|
|
||||||
while [ 1 ]; do
|
|
||||||
$IP6TABLES $@
|
|
||||||
status=$?
|
|
||||||
[ $status -ne 4 ] && return $status;
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Run iptables and if an error occurs, stop/restore the firewall
|
|
||||||
#
|
|
||||||
run_ip()
|
|
||||||
{
|
|
||||||
if ! $IP -6 $@; then
|
|
||||||
error_message "ERROR: Command \"$IP -6 $@\" Failed"
|
|
||||||
stop_firewall
|
|
||||||
exit 2
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Run tc and if an error occurs, stop/restore the firewall
|
|
||||||
#
|
|
||||||
run_tc() {
|
|
||||||
if ! $TC $@ ; then
|
|
||||||
error_message "ERROR: Command \"$TC $@\" Failed"
|
|
||||||
stop_firewall
|
|
||||||
exit 2
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Restore the rules generated by 'drop','reject','logdrop', etc.
|
|
||||||
#
|
|
||||||
restore_dynamic_rules() {
|
|
||||||
if [ -f ${VARDIR}/save ]; then
|
|
||||||
progress_message2 "Setting up dynamic rules..."
|
|
||||||
rangematch='source IP range'
|
|
||||||
while read target ignore1 ignore2 address ignore3 rest; do
|
|
||||||
case $target in
|
|
||||||
DROP|reject|logdrop|logreject)
|
|
||||||
case $rest in
|
|
||||||
$rangematch*)
|
|
||||||
run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
if [ -z "$rest" ]; then
|
|
||||||
run_iptables -A dynamic -s $address -j $target
|
|
||||||
else
|
|
||||||
error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done < ${VARDIR}/save
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Run the .iptables_restore_input as a set of discrete iptables commands
|
|
||||||
#
|
|
||||||
debug_restore_input() {
|
|
||||||
local first second rest table chain
|
|
||||||
#
|
|
||||||
# Clear the ruleset
|
|
||||||
#
|
|
||||||
qt1 $IP6TABLES -t mangle -F
|
|
||||||
qt1 $IP6TABLES -t mangle -X
|
|
||||||
|
|
||||||
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
|
|
||||||
qt1 $IP6TABLES -t mangle -P $chain ACCEPT
|
|
||||||
done
|
|
||||||
|
|
||||||
qt1 $IP6TABLES -t raw -F
|
|
||||||
qt1 $IP6TABLES -t raw -X
|
|
||||||
|
|
||||||
for chain in PREROUTING OUTPUT; do
|
|
||||||
qt1 $IP6TABLES -t raw -P $chain ACCEPT
|
|
||||||
done
|
|
||||||
|
|
||||||
qt1 $IP6TABLES -t filter -F
|
|
||||||
qt1 $IP6TABLES -t filter -X
|
|
||||||
|
|
||||||
for chain in INPUT FORWARD OUTPUT; do
|
|
||||||
qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
|
|
||||||
done
|
|
||||||
|
|
||||||
while read first second rest; do
|
|
||||||
case $first in
|
|
||||||
-*)
|
|
||||||
#
|
|
||||||
# We can't call run_iptables() here because the rules may contain quoted strings
|
|
||||||
#
|
|
||||||
eval $IP6TABLES -t $table $first $second $rest
|
|
||||||
|
|
||||||
if [ $? -ne 0 ]; then
|
|
||||||
error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
|
|
||||||
stop_firewall
|
|
||||||
exit 2
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
:*)
|
|
||||||
chain=${first#:}
|
|
||||||
|
|
||||||
if [ "x$second" = x- ]; then
|
|
||||||
do_iptables -t $table -N $chain
|
|
||||||
else
|
|
||||||
do_iptables -t $table -P $chain $second
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ $? -ne 0 ]; then
|
|
||||||
error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
|
|
||||||
stop_firewall
|
|
||||||
exit 2
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
#
|
|
||||||
# This grotesque hack with the table names works around a bug/feature with ash
|
|
||||||
#
|
|
||||||
'*'raw)
|
|
||||||
table=raw
|
|
||||||
;;
|
|
||||||
'*'mangle)
|
|
||||||
table=mangle
|
|
||||||
;;
|
|
||||||
'*'nat)
|
|
||||||
table=nat
|
|
||||||
;;
|
|
||||||
'*'filter)
|
|
||||||
table=filter
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Give Usage Information
|
# Give Usage Information
|
||||||
#
|
#
|
||||||
|